Getting the function definition from oid in before firing the function

Started by Mohammed Ajil over 10 years ago · 4 messages · general
#1 Mohammed Ajil
ajilm@student.ethz.ch

Dear Postgres Team,

For my thesis about secure access control for database systems I need to
implement a new decision algorithm for deciding if commands can be
executed. For that algorithm to work I need to keep a stack that holds
all the commands that are currently running, like a stacktrace.

Each stack entry should contain the following:
- Session user
- User that runs the command (differs if we have security definer on
triggers)
- Command
- Oid of trigger (if it is one)

Now my problem consists of two steps:
- First I need to decide if the algorithm supports the trigger type
(only of LANGUAGE PLPGSQL).
- Second I need to get the SQL command that the function will execute.

What I tried was the following:
In the file trigger.c I have found the location where the function is
called. There I have access to the FunctionCallInfoData struct.
I have seen on
http://www.postgresql.org/docs/9.4/static/functions-info.html that there
is a function which should return the function's definition as a Datum
from the function oid. Now this is a bit weird since in the source code
the function expects a pointer to a FunctionCallInfoData struct, which
is no problem since I have access to both there.
But when I pass the pointer to the FunctionCallInfoData I always get
an error stating that the cache lookup failed. I really don't know why,
since when I investigate the struct fcinfo in gdb it has valid entries
and also the oid of the function is accessible.

I would be glad for some help here.

Also another problem that I have at the moment is the following:
My advisor wanted to have a uniform interface for access control, thus I
have refactored the code of postgres and moved the relevant access
control parts to a new module (src/backend/access_control). Now I have
put the header files in src/include/access_control. What I don't quite
get is how to make a Makefile that delivers the object files as
postgres needs them to link them to the main binary. Is it enough to
make a Makefile that just creates the object files and leaves them in
the correct folder for the root Makefile to pick them up or do I need to
modify the root Makefile too?

Thank you very much for your help in advance, for both problems I have
tried many variations and researched quite much, but did not find a
solution.

Kind regards,

Mohammed Ajil

--
--------------------------------------------
Mohammed Ajil
Bsc CS D-INFK
ajilm@student.ethz.ch

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
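
The two lookups asked about in the message above (the trigger function's language and its definition, given the function OID) can be checked from SQL against the system catalogs before doing the same from C. This is an added example, not part of the original thread; the `demo_*` objects are constructed sample names, and `pg_get_functiondef` is called with the function OID (`pg_trigger.tgfoid`) as its argument.

```sql
-- Constructed sample objects (hypothetical names) so the query has rows to show.
CREATE TABLE demo_accounts (id int PRIMARY KEY, balance numeric);
CREATE TABLE demo_audit (account_id int, changed_at timestamptz);

-- SECURITY DEFINER: the body runs as the function owner, not the caller.
CREATE FUNCTION demo_log_change() RETURNS trigger
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
    INSERT INTO demo_audit VALUES (NEW.id, now());
    RETURN NEW;
END;
$$;

CREATE TRIGGER demo_accounts_audit
AFTER UPDATE ON demo_accounts
FOR EACH ROW EXECUTE PROCEDURE demo_log_change();

-- One row per user-defined trigger on the table, with the fields the
-- stack entry in the message needs: trigger OID, language, effective
-- user, and the function text.
SELECT t.oid                        AS trigger_oid,
       t.tgname,
       t.tgrelid::regclass          AS on_table,
       p.oid                        AS function_oid,
       l.lanname                    AS language,
       (l.lanname = 'plpgsql')      AS supported_by_algorithm,
       p.prosecdef                  AS security_definer,
       session_user                 AS session_user_name,
       -- With SECURITY DEFINER the function runs as its owner;
       -- otherwise it runs as whoever fires the trigger.
       CASE WHEN p.prosecdef THEN pg_get_userbyid(p.proowner)
            ELSE current_user END   AS runs_as,
       p.prosrc                     AS body_only,
       pg_get_functiondef(p.oid)    AS full_definition
FROM pg_trigger t
JOIN pg_proc p     ON p.oid = t.tgfoid
JOIN pg_language l ON l.oid = p.prolang
WHERE NOT t.tgisinternal
  AND t.tgrelid = 'demo_accounts'::regclass;
```

`full_definition` is the complete `CREATE OR REPLACE FUNCTION` statement, while `body_only` is just the text between the dollar quotes; neither is a single SQL command, since a PL/pgSQL body can contain many statements.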

#2 Jim Nasby
Jim.Nasby@BlueTreble.com
In reply to: Mohammed Ajil (#1)
Re: Getting the function definition from oid in before firing the function

On 1/5/16 8:13 AM, Mohammed Ajil wrote:

> Now my problem consists of two steps:
> - First I need to decide if the algorithm supports the trigger type
> (only of LANGUAGE PLPGSQL).

plpgsql is NOT the only language that supports triggers.

> - Second I need to get the SQL command that the function will execute.
>
> What I tried was the following:
> In the file trigger.c I have found the location where the function is
> called.

I think triggers is the wrong way to approach this; it's full of holes
(not the least of which is triggers don't fire on SELECT). You'd be much
better off with an executor hook.

Have you looked at https://github.com/2ndQuadrant/pgaudit?
--
Jim Nasby, Data Architect, Blue Treble Consulting, Austin TX
Experts in Analytics, Data Architecture and PostgreSQL
Data in Trouble? Get it in Treble! http://BlueTreble.com


#3 Mohammed Ajil
ajilm@student.ethz.ch
In reply to: Jim Nasby (#2)
Re: Getting the function definition from oid in before firing the function

Hi,

Thanks for your answer!
I know that this is not the only language for triggers, but the
algorithm I have to implement only supports these triggers.
I have looked at the audit trigger, but that is not quite what I am
trying to achieve. I have implemented the stack push and pop for the
initial commands at another location, what I am trying to do now is keep
track of what triggers are fired, since they recursively can fire more
triggers.

What is an executor hook?

Regards,

Mohammed

On 01/06/2016 03:20 AM, Jim Nasby wrote:

> On 1/5/16 8:13 AM, Mohammed Ajil wrote:
>
> > Now my problem consists of two steps:
> > - First I need to decide if the algorithm supports the trigger type
> > (only of LANGUAGE PLPGSQL).
>
> plpgsql is NOT the only language that supports triggers.
>
> > - Second I need to get the SQL command that the function will execute.
> >
> > What I tried was the following:
> > In the file trigger.c I have found the location where the function is
> > called.
>
> I think triggers is the wrong way to approach this; it's full of holes
> (not the least of which is triggers don't fire on SELECT). You'd be much
> better off with an executor hook.
>
> Have you looked at https://github.com/2ndQuadrant/pgaudit?

--
--------------------------------------------
Mohammed Ajil
Bsc CS D-INFK
ajilm@student.ethz.ch


#4 Michael Paquier
michael@paquier.xyz
In reply to: Mohammed Ajil (#3)
Re: Getting the function definition from oid in before firing the function

On Wed, Jan 6, 2016 at 4:29 PM, Mohammed Ajil <ajilm@student.ethz.ch> wrote:

> What is an executor hook?

Here you go, with a particular focus on the ones named Executor*_hook:
https://wiki.postgresql.org/images/e/e3/Hooks_in_postgresql.pdf
--
Michael
